I'm trying to add bindings to service accounts for Workload Identity through the module in the following way:
```hcl
module "vault_service_account" {
  source  = "terraform-google-modules/service-accounts/google"
  version = "2.0.2"

  # Project to create service account in
  project_id = data.terraform_remote_state.project_in_scope.outputs.project_id

  names = [
    "${var.project_prefix}-vault"
  ]

  # Service account should only have permissions for KMS (encryption keys) & storage
  project_roles = [
    "${data.terraform_remote_state.project_in_scope.outputs.project_id}=>roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "${data.terraform_remote_state.project_in_scope.outputs.project_id}=>roles/storage.objectAdmin"
  ]
}

module "vault_iam_service_accounts_iam" {
  source  = "terraform-google-modules/iam/google//modules/service_accounts_iam"
  version = "6.1.0"

  service_accounts = [
    module.vault_service_account.email
  ]
  project = data.terraform_remote_state.project_in_scope.outputs.project_id
  mode    = "authoritative"

  bindings = {
    "roles/iam.workloadIdentityUser" = [
      "serviceAccount:${data.terraform_remote_state.project_in_scope.outputs.project_id}.svc.id.goog[vault/services]"
    ]
  }
}
```
When I try running this, I'm getting the following error:
```text
Error: Error applying IAM policy for service account 'projects/reference-cde-47d5/serviceAccounts/reference-loki@reference-cde-47d5.iam.gserviceaccount.com': Error setting IAM policy for service account 'projects/reference-cde-47d5/serviceAccounts/reference-loki@reference-cde-47d5.iam.gserviceaccount.com': googleapi: Error 400: Identity namespace does not exist (reference-cde-47d5.svc.id.goog)., badRequest

  on .terraform/modules/loki_iam_service_accounts_iam/terraform-google-iam-6.1.0/modules/service_accounts_iam/main.tf line 30, in resource "google_service_account_iam_binding" "service_account_iam_authoritative":
  30: resource "google_service_account_iam_binding" "service_account_iam_authoritative" {
```
What I find weird (and the reason I'm creating the issue) is that if I run the gcloud equivalent:
```shell
gcloud iam service-accounts add-iam-policy-binding --role roles/iam.workloadIdentityUser --member "serviceAccount:reference-cde-47d5.svc.id.goog[vault/services]" reference-vault@reference-cde-47d5.iam.gserviceaccount.com
```
Everything works successfully:
```yaml
Updated IAM policy for serviceAccount [reference-vault@reference-cde-47d5.iam.gserviceaccount.com].
bindings:
- members:
  - serviceAccount:reference-cde-47d5.svc.id.goog[vault/services]
  role: roles/iam.workloadIdentityUser
etag: BwWmLtVTJtE=
version: 1
```
Finally, I also checked that the Identity namespace is correctly created when creating the cluster and the SA/binding combo are created after the cluster is finished creating.
My question is, do I have to do some specific configuration inside the module or is there an underlying issue that might be preventing this? (both the SA and the binding are created in the same terraform file and the SA is guaranteed to be created first via depends_on in the outputs).
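An added example, not code from the issue or from the terraform-google-modules projects: the same Workload Identity binding written with the plain google provider resources, with the cluster that owns the identity namespace declared as an explicit dependency so the pool is guaranteed to exist before the binding is applied. All names, the location and the `project_id` variable are placeholders, and the `workload_pool` argument assumes a google provider of 4.x or later.

```hcl
# Added example; not the issue author's configuration. All names are placeholders.

variable "project_id" {
  type        = string
  description = "Project that owns both the GKE cluster and the service account"
}

# Enabling Workload Identity on the cluster is what creates the identity
# namespace (workload identity pool). Its name is always
# "<PROJECT_ID>.svc.id.goog"; nothing can be bound to it before this exists.
resource "google_container_cluster" "primary" {
  name     = "example-cluster"
  location = "europe-west1"
  project  = var.project_id

  remove_default_node_pool = true
  initial_node_count       = 1

  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }
}

# Google service account that the Kubernetes workload will impersonate.
resource "google_service_account" "vault" {
  account_id   = "example-vault"
  display_name = "Vault service account"
  project      = var.project_id
}

# Least-privilege binding: exactly one Kubernetes service account
# (namespace "vault", KSA "services") may act as this GSA. A per-member
# resource is used instead of an authoritative binding so that other
# members of roles/iam.workloadIdentityUser on this GSA are not removed.
resource "google_service_account_iam_member" "vault_workload_identity" {
  # google_service_account.name is the "projects/.../serviceAccounts/..." form
  # that service_account_id expects.
  service_account_id = google_service_account.vault.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[vault/services]"

  # Make the ordering explicit: the pool must exist before the binding.
  depends_on = [google_container_cluster.primary]
}

# The Kubernetes side (applied with kubectl or the kubernetes provider) is
# the annotation on the KSA, which ties the two halves together:
#   iam.gke.io/gcp-service-account: example-vault@<PROJECT_ID>.iam.gserviceaccount.com
```

The member string must name an existing pool: it is built from the project ID (not the project number) of the project that owns the GKE cluster, which is the value quoted in the "Identity namespace does not exist" error. The GSA itself may live in a different project, so when the cluster and the service account are in separate projects, the pool in `member` is the cluster project's, while `service_account_id` points at the GSA's project.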